Sullivan, Mary Beth



From: Sullivan, Mary Beth 

Sent: Thursday, July 06, 2006 1:55 PM

To: Stachnik, Walter J.; Andrews, Kelly J. 

Subject: FW: ENF ex-employee 

This is pretty confusing. 
Mary Beth 

-----Original Message-----

From: Wilson, David 

Sent: Thursday, July 06, 2006 12:40 PM 

To: Sullivan, Mary Beth; Gerrity, Joseph; Booth, Corey; Hernandez, Juanita C. 

Cc: Corrie, James A. ; Staiger, Charles 

Subject: RE: ENF ex-employee

I think this is a final report: 

I interviewed Chuck Staiger, who told me he preserved this account at the direction of 
Juanita Hernandez with the Office of the General Counsel, which launched an investigation
of the user, Gary Aguirre, prior to his departure in Sept. 2005. Mr. Aguirre was separated
from the agency while on vacation (which explains why the Out of Office Autoreply feature 
on his email account was declaring that he'll be back in September). Ms. Hernandez told me
that in preparation for the separation, OGC directed Mr. Staiger's office to "freeze" the
subject's information technology assets. Presumably the subject's laptop and external 
storage devices were secured (I don't know and haven't asked). The e-mail account was 
"disabled," meaning the subject could not log into it. While the subject himself has not 
accessed SEC systems since September 2005, the email account still existed. One log entry 
notes that it was accessed in May 2006; I have not attempted to discover who accessed it 
or what was done (again because this is an ongoing investigation) and it's possible this 
is an artifact, since such log entries can be generated by something as simple as an
update to the anti-viral software. The email account may have been accepting mail all this 
time; I haven't dug down that deep (and I was also frankly worried about muddying the 
waters of what appears to be an active investigation). Issues I still haven't resolved:
Does somebody else have access to this account? Was/is mail for this account being 
forwarded? Ms. Hernandez says she is not reading mail sent to the account; I have not
pursued this issue beyond her. My concern at this point is that the data in that
account has not been fixed in place; that is, the account appears to me to be live and it
is possible that someone has been accessing the account (though not Mr. Aguirre). Put
simply, I think it might be difficult to successfully present a chain of custody claim for 
this account. I would recommend that, if the account is/might be needed for legal action,
that it be forensically copied onto a hard drive using the agency's current EnCase 
standard and that hard drive secured as evidence. I presume that the user's laptop has 
been secured in some fashion all this time; I recommend that similar steps be taken with 
that laptop's hard drive. And finally, we have removed Mr. Aguirre's name from the Outlook
address database, but if you know the address already you can apparently still send email 
to the account. The autoreply feature has apparently been successfully shut down. 

And finally, I've suggested to Ms. Hernandez that OIT Security and OIG get together for a 
meeting to talk about how the technology works and so they can educate us about their 
needs.

-dave 

-----Original Message-----

From: Sullivan, Mary Beth

Sent: Thursday, June 29, 2006 3:38 PM

To: Wilson, David; Gerrity, Joseph; Booth, Corey 

Cc: Corrie, James A.; Wiederkehr, David 
